The EDPB welcomes improvements made by US authorities, but still finds a number of concerns need to be addressed.
Background: The EU–US Privacy Shield is the agreement through which European authorities recognise the US as an ‘adequate destination’ for EU citizens’ personal data. The framework was set out in 2016 to replace the Safe Harbour agreement, which was struck down by the European Court of Justice because it did not provide sufficient safeguards. Compared with Safe Harbour, the Privacy Shield involves stronger oversight by the European Commission, through an annual review process, and additional requirements for US businesses and the US administration.
What does the EDPB have to say? While the EDPB does not have a final say in the annual reviews of the agreement (its staff participate in the review alongside the EC), its position is strongly influential due to the powers the GDPR conferred on it. In its report, the EDPB found some signs of progress (e.g. that the Department of Commerce and the FTC have increased the number of monthly spot checks); however, there remain areas in which improvement is needed. In particular, there is a lack of oversight in substance, since the checks are focused mainly on formal aspects. So-called ‘onward transfers’, i.e. transfers of data to third countries, also require further oversight. Strikingly, the EDPB notes there remain strong limitations on the rights that data subjects should have under the GDPR, due to a lack of definition and of specific rules; these concerns were initially flagged in 2016, and have not yet been addressed.
Data access by public authorities is also a concern: The EDPB notes there are insufficient protections for individuals in surveillance programs. Also, more transparency is required to ensure that access to EU citizens’ data is not indiscriminate and generalised.
Next steps: The next review of the Privacy Shield will take place in September 2020. The EC is likely to take the EDPB’s views on board when carrying out the review.